Utente:TheMaster001/Sandbox
Virus.DOS.Beda, or simply Beda, is a memory-resident parasitic virus on DOS; some variants are capable of encrypting themselves. There are 16 variants in 6 versions, represented by the following:

* Virus.DOS.Beda.332
* Virus.DOS.Beda.337
* Virus.DOS.Beda.609
* Virus.DOS.Beda.883
* Virus.DOS.Beda.1530
* Virus.DOS.Beda.3233

Behaviour

When the virus is loaded into memory, it hooks INT 21h and writes itself to the end of files that are executed or closed. When an infected file is opened, the virus temporarily disinfects it and reinfects it when the file is closed. The virus uses the hexadecimal value BEDAh as the identification mark for infected files and for detecting whether its TSR copy is already loaded. During infection, the virus may corrupt the file being infected, crashing the system when that file is run. The infection size varies for all variants except Beda.332.

Beda.332

This variant is believed to be the first version of the Beda family. It infects DOS executables only, but contains bugs that prevent it from infecting every executed file. Since it does not check whether a file has already been infected, it reinfects the file each time it is run, so the file keeps growing in size. The timestamp of infected files is changed to the time of infection.

Beda.337, 403, 419, 420, 552, 883, 1196 and 1301

Unlike Beda.332, these variants infect every DOS executable that is run, and they do not reinfect files. For Beda.337, 403, 419 and 420, the timestamp of infected files is changed to the time of infection; for the rest, it is malformed by setting the date to random values and the time to 23:54:52.

Beda.609

This is the only variant that infects EXE executables only; the timestamp is changed to the time of infection. Additionally, this variant contains bugs that may crash the system by attempting to access an invalid region of memory during execution.

Beda.1314, 1530, 1724 and 1857

These variants infect every executable that is run, and the timestamp of infected files is malformed by setting the date to invalid values and the time to 23:54:52.

Beda.3233 and 3291

These are encrypted variants. They infect every DOS executable that is run, and the timestamp of infected files is malformed by setting the date to invalid values and the time to 23:54:52. For EXE executables, not every file is infected by these variants.

Memory usage

The following table shows the memory usage of the variants.

Payload

Beda.332, 337, 420 and 609

These variants do not manifest themselves in any way.

Beda.403

When a file infected by this variant is run, the virus prints 4 extra blank lines and the message:

WOODPECKER WARNING !

It then thickens the cursor to the insert-mode style.

Beda.419 and 552

These variants play a chord on the PC speaker when an infected file is run.

Beda.883, 1196 and 1301

These variants manifest themselves with a video effect: they draw 3 moving colour bars (red, green and blue) on screen. The effect can be cleared, and control returns to DOS on a keypress. This is the only version that produces the video effect.

Beda.1314

This variant is a pre-release of the file-deleting version (Beda.1530 and later) and does not manifest itself in any way.

Beda.1530, 1724, 1857, 3233 and 3291

These variants are relatively dangerous. For every file that is run, they check whether the filename begins with any of the following strings, in an attempt to delete anti-virus programs:

* -V
* AIDSTEST
* A-DINF
* WEB

When such a program is run, the virus prints the message:

Bad Command or file name

and then deletes the file, the same behaviour as the Jerusalem virus.

They also hook INT 9 and, depending on their internal counters, change the keys that are typed:

* n -> y
* N -> Y

Except for Beda.1530, when an infected program is run in November or December the virus resets the computer. If COMMAND.COM has been infected, the computer keeps resetting in an infinite loop during these months.

Beda.3233 and 3291 contain another payload, but its activation method is currently unknown.

Variants

The complete list of variants in the Beda family:

* Virus.DOS.Beda.332
* Virus.DOS.Beda.337
* Virus.DOS.Beda.403
* Virus.DOS.Beda.419
* Virus.DOS.Beda.420
* Virus.DOS.Beda.552
* Virus.DOS.Beda.609
* Virus.DOS.Beda.883
* Virus.DOS.Beda.1196
* Virus.DOS.Beda.1301
* Virus.DOS.Beda.1314
* Virus.DOS.Beda.1530
* Virus.DOS.Beda.1724
* Virus.DOS.Beda.1857
* Virus.DOS.Beda.3233
* Virus.DOS.Beda.3291

Other details

A noticeable delay can be observed when a file infected by Beda.1301, 1196, 1314, 1530 or 1857 is run.

Beda.403 contains the internal text string:

WOODPECKER WARNING !

Beda.1724 contains the internal text string:

07/28/98

Beda.1857 contains the internal text string:

05/05/91

Beda.3291 contains the encrypted internal text strings:

WHY YOU ADD IN MY FAMILY VIRUSES beda AND beda
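As an added illustration, not part of the original wiki page, the following Python decodes the packed 16-bit FAT/DOS directory timestamp that the variants above malform, and flags the two markers the page describes: a time of 23:54:52 (which packs to exactly 0xBEDA, the same value the virus uses as its infection mark) and a date field outside the legal ranges. The directory entries are constructed in-memory samples, not real files, and the check is a heuristic: variants that keep the real infection time leave no such trace.

```python
# Added example (not from the original page): decode the 16-bit FAT/DOS
# date and time fields and flag the timestamp markers Beda leaves behind.
# 23:54:52 packs to exactly 0xBEDA, the value the virus uses as its mark.
BEDA_TIME_MARKER = 0xBEDA


def pack_dos_time(hour, minute, second):
    """Pack a time into the FAT field: hours<<11 | minutes<<5 | seconds//2."""
    return (hour << 11) | (minute << 5) | (second // 2)


def unpack_dos_time(value):
    """Return (hour, minute, second) from a packed FAT time field."""
    return (value >> 11) & 0x1F, (value >> 5) & 0x3F, (value & 0x1F) * 2


def unpack_dos_date(value):
    """Return (year, month, day); FAT stores the year as an offset from 1980."""
    return 1980 + ((value >> 9) & 0x7F), (value >> 5) & 0x0F, value & 0x1F


def is_valid_dos_date(value):
    """A month or day outside its legal range is an 'invalid' date."""
    _, month, day = unpack_dos_date(value)
    return 1 <= month <= 12 and 1 <= day <= 31


def check_timestamp(date_field, time_field):
    """Return the findings for one directory entry; an empty list means clean."""
    findings = []
    if time_field == BEDA_TIME_MARKER:
        findings.append("time is 23:54:52 (packed 0xBEDA)")
    if not is_valid_dos_date(date_field):
        findings.append("date field out of range")
    return findings


# Constructed sample directory entries: (name, packed date, packed time).
SAMPLE_ENTRIES = [
    ("EDIT.COM", 0x16A5, pack_dos_time(9, 15, 0)),    # 1991-05-05, clean
    ("GAME.EXE", 0x16A5, pack_dos_time(23, 54, 52)),  # marker time only
    ("TOOL.COM", 0x17C0, BEDA_TIME_MARKER),           # month 14, day 0 + marker
]


def scan_entries(entries):
    """Map each suspicious entry name to its findings (heuristic, not proof)."""
    report = {}
    for name, date_field, time_field in entries:
        findings = check_timestamp(date_field, time_field)
        if findings:
            report[name] = findings
    return report
```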